When this book showed up (review copy) I initially thought what a piece of garbage. Like a previous commenter said, the book has a lackluster cover and it's small and skinny. BUT, I flipped through and noticed that it contained lots of little "truths" 3-4 pages in length that quickly covered specific topics related to identity theft and protecting yourself online. So I decided to give it a shot.

The book is broken into 9 parts:

Part 1: The Truth About Phishing and Vishing
Part 2: The Truth About Trash
Part 3: The Truth About No-Tech Identity Theft
Part 4: The Truth About Just How Low Identity Thieves Will Go
Part 5: The Truth About Identity Theft in Plain Sight
Part 6: The Truth About Online Cons
Part 7: The Truth About Security at Work
Part 8: The Truth About Identity Theft from Real Victims
Part 9: The Truth About Putting a Stop to Identity Theft

Again, each part consists of several 3-4 page vignettes on topics related to the section, and each vignette, while short, yields some actionable information on the topic. I didn't have any specific favorites; they were all good. Just about all of them were real-world examples that the author conducted during security assessments, or real-life examples from people that had contacted the author or stories he had heard. It's sometimes much easier to empathize with Susan, who was a victim of identity theft, and the troubles she was having trying to set things right. Of real value was the part on Putting a Stop to Identity Theft, which tells you how to get rid of the pre-certified credit card offers, how to check your credit reports, what actions to take if you are a victim of identity theft, and some of the pitfalls that can come up during the process.

So why 4 stars? Well, mostly because I review technical security books, and it wouldn't be fair to give a less technical book that doesn't yield "new" (but still useful) information 5 stars when other, more technical books are graded much harsher. That being said, if I had approached it as a less technical reviewer I would have easily given it 5 stars. If you want to get a book for mom and dad to help them protect themselves from themselves and the rest of the bad guys out there, this is the book for them. Unfortunately I finished it too close to Xmas to give copies as gifts.

Monday, December 22, 2008

In some of the past posts I covered finding a default user account, or an account with an easy to guess username/password, for Oracle and taking that user to DBA via SQL Injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLI for Oracle into Metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, it being the week of Christmas or whatever you celebrate, I thought I'd put out a module for a vulnerability that has an advisory out but no public exploit code.

Details: The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.

Impact: Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.
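For the defender side of that impact statement, here is an added audit query (not code from the original post or from Metasploit) that lists who can actually reach EXECUTE on SYS.DBMS_DEFER_SYS, following any chain of role grants such as DBA. It assumes Oracle 10g or later CONNECT BY syntax and an account that can read the DBA_ views.

```sql
-- Added audit query, not from the original post.
-- Walks from every direct holder of EXECUTE on SYS.DBMS_DEFER_SYS
-- (a user, a role, or PUBLIC) down through DBA_ROLE_PRIVS to the
-- users and roles that ultimately inherit the privilege.
SELECT h.privilege_holder,          -- who was granted EXECUTE directly
       h.reached_grantee,           -- user or role that inherits it
       h.role_hops,                 -- 0 = direct grant, N = via N role grants
       CASE
         WHEN h.reached_grantee = 'PUBLIC' THEN 'PUBLIC (every user)'
         WHEN u.username IS NOT NULL     THEN 'USER'
         ELSE 'ROLE'
       END AS grantee_type
FROM (
       SELECT DISTINCT
              CONNECT_BY_ROOT grantee AS privilege_holder,
              grantee                 AS reached_grantee,
              LEVEL - 1               AS role_hops
       FROM (
              -- seed rows: direct EXECUTE grants on the package
              SELECT grantee, NULL AS granted_role
              FROM   dba_tab_privs
              WHERE  owner      = 'SYS'
              AND    table_name = 'DBMS_DEFER_SYS'
              AND    privilege  = 'EXECUTE'
              UNION ALL
              -- edges: role -> grantee of that role
              SELECT grantee, granted_role
              FROM   dba_role_privs
            )
       START WITH granted_role IS NULL
       CONNECT BY NOCYCLE PRIOR grantee = granted_role
     ) h
LEFT JOIN dba_users u ON u.username = h.reached_grantee
ORDER BY h.privilege_holder, h.role_hops, h.reached_grantee;
```

Any row whose grantee_type is PUBLIC, or any USER row that is not an administrator you expect to hold SYS-equivalent rights, is a candidate for revoking the grant until the vendor fix is applied.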

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

Thursday, December 11, 2008

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works, HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the data source referenced by the XML, which causes a heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up, so no code showing this!

Yesterday, while looking at the exploit, I saw a PoC posted to Milw0rm. Very cool, but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working, but it was not stable and only triggered on XP, as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on the User-Agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even after testing last night and this morning, it seemed to be hit or miss on XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate on the heap, the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough, if the variables are randomized and over a certain length, the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated, but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...